postfix, procmail and SELinux - No Go

Paul Howarth paul at city-fan.org
Tue May 30 19:05:08 UTC 2006


On Tue, 2006-05-30 at 13:41 -0500, Marc Schwartz (via MN) wrote:
> On Tue, 2006-05-30 at 16:32 +0100, Paul Howarth wrote:
> > Marc Schwartz wrote:
> > > Hi all,
> > > 
> > > I took advantage of the long weekend here in the States to finally 
> > > update to FC5.  All went well in general, however it has become apparent 
> > > that procmail is problematic with SELinux enabled.
> > > 
> > > fetchmail and postfix work fine in terms of getting my e-mail from 
> > > multiple POP3 accounts. However local (~/.procmailrc) procmail filtering 
> > > does not.
> > > 
> > > My FC4 configuration files, with a few edits to reflect some path 
> > > changes for postfix, now work fine with SELinux disabled. I was not 
> > > running SELinux on FC4 and all worked fine there.
> > > 
> > > I found other FC5/SELinux posts where others have had similar problems 
> > > and disabling SELinux solved them.
> > > 
> > > This is on a fully updated FC5 system as of the writing of this post.
> > > 
> > > Is there a policy update pending to resolve this issue or some temporary 
> > > steps that can be used in the interim, short of disabling SELinux entirely?
> > 
> > I'm using procmail with sendmail on FC5, and whilst there were 
> > significant problems getting it to work with the out-of-the-box policy, 
> > it's mostly fixed now. The only local tweaks I do to policy are to add 
> > the ability to write a log file to /var/log (probably peculiar to me), 
> > to allow it to forward mail by calling sendmail (I think policy still 
> > doesn't allow reading of the /usr/sbin/sendmail -> /etc/alternatives/mta 
> > symlink, which pretty much most procmail users will need), and to allow 
> > programs called from procmail to create temporary files.
> > 
> > If you run SELinux in permissive mode and post the AVCs that get logged 
> > when procmail is running, it should be possible to get this fixed.
> 
> Paul,
> 
> Thanks for the reply.
> 
> I have re-booted with SELinux in Permissive Mode.
> 
> However, while procmail is working still, I see no avc messages at all
> in /var/log/messages that would seemingly be related here. There are
> other avc's there, most of which appear to be related to the boot
> process and the relabelling of files subsequent to having disabled
> SELinux earlier.
> 
> Is this something more subtle or is there someplace else that I should
> be looking?

Perhaps you have auditd running, and have AVCs logged
to /var/log/audit/audit.log instead?

> BTW, on a separate and possibly SELinux-related issue, I had noted that
> the Evolution Data Server was crashing after I first installed FC5 with
> SELinux enabled.  For the time this morning that I had SELinux disabled,
> I was not getting the crash.  Didn't make the association initially, but
> now that I have it re-enabled in Permissive Mode, it's crashing again.
> No avc's in the log here either.

Don't know what's happening with that. Having SELinux in permissive mode
should behave almost identically to disabled mode really.

Paul.
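
The two log locations discussed in this message, as an added example that is not part of the original post: a small parser that accepts AVC records in both the auditd form (/var/log/audit/audit.log) and the kernel/syslog form (/var/log/messages) and summarizes the denials for one command. The sample lines, the function names and the specific types shown are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). Line 1 is the form auditd
# writes to /var/log/audit/audit.log; line 2 is the form the kernel sends to
# syslog (/var/log/messages) when auditd is not running.
SAMPLE_LOG = '''\
type=AVC msg=audit(1149015908.123:45): avc:  denied  { read } for  pid=2345 comm="procmail" name="mta" dev=dm-0 ino=12345 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file
May 30 14:05:08 localhost kernel: audit(1149015908.456:46): avc:  denied  { write } for  pid=2345 comm="procmail" name="procmail.log" dev=dm-0 ino=12346 scontext=system_u:system_r:procmail_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1149015909.001:47): avc:  denied  { getattr } for  pid=1801 comm="hald" name="sda" dev=tmpfs ino=999 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
May 30 14:05:09 localhost postfix/local[2344]: 1A2B3C: to=<user@localhost>, status=sent
'''

# Matches the AVC body wherever it appears in the line, so both forms parse.
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    rec['source'] = 'auditd' if line.startswith('type=AVC') else 'syslog'
    return rec

def denials_for(lines, comm):
    """Collect denied AVC records whose comm= field equals `comm`."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec.get('comm') == comm:
            out.append(rec)
    return out

def summarize(records):
    """Count (source type, target type, class, permission) tuples."""
    counts = Counter()
    for r in records:
        stype = r['scontext'].split(':')[2]
        ttype = r['tcontext'].split(':')[2]
        for p in r['perms']:
            counts[(stype, ttype, r['tclass'], p)] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(denials_for(SAMPLE_LOG.splitlines(), 'procmail')).items():
        print(n, *key)
```

To use it on a real system, feed it the lines of both log files; the records it returns carry a `source` field showing which form each denial was logged in.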



